Debian Bug report logs -
#507193
CVE-2008-5278: Cross-site scripting (XSS) vulnerability
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Fri, 28 Nov 2008 23:57:01 UTC
Severity: important
Tags: patch, security
Fixed in version wordpress/2.5.1-11
Done: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#507193; Package wordpress.
(Fri, 28 Nov 2008 23:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.
(Fri, 28 Nov 2008 23:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: wordpress
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.
CVE-2008-5278[0]:
Cross-site scripting (XSS) vulnerability in the self_link function in
in the RSS Feed Generator (wp-includes/feed.php) for WordPress before
2.6.5 allows remote attackers to inject arbitrary web script or HTML
via the Host header (HTTP_HOST variable).
The upstream patch is here[1], look at the diff in wp-includes/feed.php.
(Although I guess it would have been easier to use htmlspecialchars(),
instead of writing an own function :) ).
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5278
http://security-tracker.debian.net/tracker/CVE-2008-5278
[1] http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=#file2
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#507193; Package wordpress.
(Sat, 29 Nov 2008 18:27:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list.
(Sat, 29 Nov 2008 18:27:10 GMT) (full text, mbox, link).
Message #10 received at 507193@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
> Package: wordpress
> Severity: important
> Tags: security, patch
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wordpress.
>
> CVE-2008-5278[0]:
> Cross-site scripting (XSS) vulnerability in the self_link function in
> in the RSS Feed Generator (wp-includes/feed.php) for WordPress before
> 2.6.5 allows remote attackers to inject arbitrary web script or HTML
> via the Host header (HTTP_HOST variable).
>
> The upstream patch is here[1], look at the diff in wp-includes/feed.php.
> (Although I guess it would have been easier to use htmlspecialchars(),
> instead of writing an own function :) ).
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
First of all thank you for reporting this.
Upstream's solution it's not so bad in my opinion. Moreover I think
using official patch should protect us from future bugs.
I'll have the new package ready for tomorrow.
Thank you again.
Cheers.
Andrea De Iacovo
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#507193; Package wordpress.
(Sat, 29 Nov 2008 22:32:36 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.
(Sat, 29 Nov 2008 22:32:38 GMT) (full text, mbox, link).
Message #15 received at 507193@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Andrea
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
>
> First of all thank you for reporting this.
>
> Upstream's solution it's not so bad in my opinion. Moreover I think
> using official patch should protect us from future bugs.
Don't get me wrong, I don't want to diverge from upstream, it's just that the
php functions are the standard for taking care of such things and upstream
should be taught to use them :)
> I'll have the new package ready for tomorrow.
Awesome, thanks for all your work with wordpress :)
Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#507193; Package wordpress.
(Sun, 30 Nov 2008 11:34:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list.
(Sun, 30 Nov 2008 11:34:01 GMT) (full text, mbox, link).
Message #20 received at 507193@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
New package ready.
http://www.firstbit.net/debian
Could you or Thijs (I'm ccing him) upload it?
Thanks a lot
Cheers.
Andrea
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#507193; Package wordpress.
(Sun, 30 Nov 2008 11:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.
(Sun, 30 Nov 2008 11:51:05 GMT) (full text, mbox, link).
Message #25 received at 507193@bugs.debian.org (full text, mbox, reply):
Hi Andrea,
On Sun, November 30, 2008 12:33, Andrea De Iacovo wrote:
> New package ready.
> http://www.firstbit.net/debian
>
>
> Could you or Thijs (I'm ccing him) upload it?
I have changed the urgency to high and uploaded it.
Thank you for your work.
Thijs
Reply sent
to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
You have taken responsibility.
(Sun, 30 Nov 2008 12:32:39 GMT) (full text, mbox, link).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(Sun, 30 Nov 2008 12:32:40 GMT) (full text, mbox, link).
Message #30 received at 507193-close@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Source-Version: 2.5.1-11
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.5.1-11.diff.gz
to pool/main/w/wordpress/wordpress_2.5.1-11.diff.gz
wordpress_2.5.1-11.dsc
to pool/main/w/wordpress/wordpress_2.5.1-11.dsc
wordpress_2.5.1-11_all.deb
to pool/main/w/wordpress/wordpress_2.5.1-11_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 507193@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea De Iacovo <andrea.de.iacovo@gmail.com> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 30 Nov 2008 11:26:39 +0100
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-11
Distribution: unstable
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Description:
wordpress - weblog manager
Closes: 507193
Changes:
wordpress (2.5.1-11) unstable; urgency=high
.
* Added 011CVE2008-5278.patch. (Closes: #507193)
Upstream patch for XSS in feed.php self_link function was
implemented. (CVE-2008-5278)
Checksums-Sha1:
55562bb4c45131288d540bfa2b205b19f61f1e92 1315 wordpress_2.5.1-11.dsc
921af6831317bca44d1f7f34469ad2e279570427 698118 wordpress_2.5.1-11.diff.gz
6739df7753778129b28f01b78ade9140a1269798 1032134 wordpress_2.5.1-11_all.deb
Checksums-Sha256:
f8a94bf9c638ef2d1301be1ab858eb585b7378c84f0bf24d542af88eec8a0439 1315 wordpress_2.5.1-11.dsc
dc7ba8af0f2c46f1b68ca9e790d9cbee8bd21e55cf932b5ef7eeb2c0c6b5ec24 698118 wordpress_2.5.1-11.diff.gz
1864a1f00c848eda1903f13d2d03c6906b20dec5659e4a9c30776d5e86254e4f 1032134 wordpress_2.5.1-11_all.deb
Files:
e65becca5eb5d8d44fac3308e118f6f3 1315 web optional wordpress_2.5.1-11.dsc
fe62a3cad1e93a74c883b2e8965ed172 698118 web optional wordpress_2.5.1-11.diff.gz
cdc86192b85e96c3b7e47ad53b3af607 1032134 web optional wordpress_2.5.1-11_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJJMnwNAAoJEGz0hbPcukPfhlwH/2aPIHd5Gx1BN7WW15iVIbYo
MhtWeTa8QSds/5fSq4dwItk/wIp/orG8tAFzLSA3yRpcYGT9cPJP4iQxX++5hQOZ
1Z1FkBYUfx+AKovPNVtDscYsrQeNGbi+IUhG7609F3zZ228iM/fh4D9HPC5X/4Ji
5gQEOZHErvB7ISBUvhU6TeaDu+KLflUiwliOIfbT+TYZi40kIy3YrZ2qKueZ1W1H
zr8/2dHz6HuG+4MIJRprd24guJ3zEMqAC6FBREiW44XLr9cDRzMEiISwRAtlMR4B
O+6AZAyxjeqvQDpcOmoIIqHZq7HCMs9bEkcDp/uH5qKYdjdo5+70xTDjx52PB+8=
=2rkM
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 06 Jan 2009 07:38:37 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:00:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon